When running a Tor relay behind a consumer-grade router (or a crappy piece of
plastic like the routers provided by Vodafone), it can bring
the router to a grinding halt. A Tor relay connects to multiple other relays,
sometimes with 1000 connections or more. Turns out that the NAT implementation
in those routers isn’t that good at tracking that many connections.

I was looking for a way to limit the connections a Tor relay can open. First I
tried the good ol’ iptables:

This limits the connections on port 9001 to 1000. Turns out, that wasn’t such a good idea: my relay appeared offline in
the Tor relay search.

After asking on the mailing list, I got the hint that the way to go is not to block the connections in the firewall,
but to limit the number of open files of the tor process.

My Tor relay is started from systemd, so I added `LimitNOFILE=1000` to the unit. This limits the number of open
file descriptors of the tor process to 1000.

Turns out, this isn’t such a good idea either. The relay still appears offline. You need at least 6000 file descriptors to
run a relay, which my crappy router doesn’t support. So I’m going to run a bridge instead.

But in case you want to limit Tor’s connection count, use the NOFILE limit rather than the firewall.